commit f825afa1e17b3aeba49c8b509a0849f7fedc8220 Author: CentOS Sources Date: Fri Apr 24 03:55:04 2020 +0000 import wget-1.19.5-10.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..39e8ee9 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/wget-1.19.5.tar.gz diff --git a/.wget.metadata b/.wget.metadata new file mode 100644 index 0000000..4c26eea --- /dev/null +++ b/.wget.metadata @@ -0,0 +1 @@ +43b3d09e786df9e8d7aa454095d4ea2d420ae41c SOURCES/wget-1.19.5.tar.gz diff --git a/SOURCES/wget-1.17-path.patch b/SOURCES/wget-1.17-path.patch new file mode 100644 index 0000000..3d14610 --- /dev/null +++ b/SOURCES/wget-1.17-path.patch @@ -0,0 +1,172 @@ +diff --git a/NEWS b/NEWS +index d23ae95..aa3247f 100644 +--- a/NEWS ++++ b/NEWS +@@ -935,7 +935,7 @@ distributed with Wget. + + ** Compiles on pre-ANSI compilers. + +-** Global wgetrc now goes to /usr/local/etc (i.e. $sysconfdir). ++** Global wgetrc now goes to /etc (i.e. $sysconfdir). + + ** Lots of bugfixes. + +@@ -998,7 +998,7 @@ Emacs, standalone info, or converted to HTML, dvi or postscript. + ** Fixed a long-standing bug, so that Wget now works over SLIP + connections. + +-** You can have a system-wide wgetrc (/usr/local/lib/wgetrc by ++** You can have a system-wide wgetrc (/etc/wgetrc by + default). Settings in $HOME/.wgetrc override the global ones, of + course :-) + +diff --git a/README b/README +index 692e1c6..38231c9 100644 +--- a/README ++++ b/README +@@ -33,7 +33,7 @@ for socks. + + Most of the features are configurable, either through command-line + options, or via initialization file .wgetrc. Wget allows you to +-install a global startup file (/usr/local/etc/wgetrc by default) for ++install a global startup file (/etc/wgetrc by default) for + site settings. + + Wget works under almost all Unix variants in use today and, unlike +diff --git a/doc/sample.wgetrc b/doc/sample.wgetrc +index c0d0779..9a73ada 100644 +--- a/doc/sample.wgetrc ++++ b/doc/sample.wgetrc +@@ -10,7 +10,7 @@ + ## Or online here: + ## https://www.gnu.org/software/wget/manual/wget.html#Startup-File + ## +-## Wget initialization file can reside in /usr/local/etc/wgetrc ++## Wget initialization file can reside in /etc/wgetrc + ## (global, for all users) or $HOME/.wgetrc (for a single user). + ## + ## To use the settings in this file, you will have to uncomment them, +@@ -22,7 +22,7 @@ + + + ## +-## Global settings (useful for setting up in /usr/local/etc/wgetrc). ++## Global settings (useful for setting up in /etc/wgetrc). + ## Think well before you change them, since they may reduce wget's + ## functionality, and make it behave contrary to the documentation: + ## +diff --git a/doc/sample.wgetrc.munged_for_texi_inclusion b/doc/sample.wgetrc.munged_for_texi_inclusion +index 3c7f2f4..521ef16 100644 +--- a/doc/sample.wgetrc.munged_for_texi_inclusion ++++ b/doc/sample.wgetrc.munged_for_texi_inclusion +@@ -10,7 +10,7 @@ + ## Or online here: + ## https://www.gnu.org/software/wget/manual/wget.html#Startup-File + ## +-## Wget initialization file can reside in /usr/local/etc/wgetrc ++## Wget initialization file can reside in /etc/wgetrc + ## (global, for all users) or $HOME/.wgetrc (for a single user). + ## + ## To use the settings in this file, you will have to uncomment them, +@@ -22,7 +22,7 @@ + + + ## +-## Global settings (useful for setting up in /usr/local/etc/wgetrc). ++## Global settings (useful for setting up in /etc/wgetrc). + ## Think well before you change them, since they may reduce wget's + ## functionality, and make it behave contrary to the documentation: + ## +diff --git a/doc/wget.info b/doc/wget.info +index 40ce0d4..89c6652 100644 +--- a/doc/wget.info ++++ b/doc/wget.info +@@ -109,7 +109,7 @@ retrieval through HTTP proxies. + • Most of the features are fully configurable, either through command + line options, or via the initialization file ‘.wgetrc’ (*note + Startup File::). Wget allows you to define “global” startup files +- (‘/usr/local/etc/wgetrc’ by default) for site settings. You can ++ (‘/etc/wgetrc’ by default) for site settings. You can + also specify the location of a startup file with the –config + option. To disable the reading of config files, use –no-config. + If both –config and –no-config are given, –no-config is ignored. +@@ -2825,8 +2825,8 @@ File: wget.info, Node: Wgetrc Location, Next: Wgetrc Syntax, Prev: Startup Fi + =================== + + When initializing, Wget will look for a “global” startup file, +-‘/usr/local/etc/wgetrc’ by default (or some prefix other than +-‘/usr/local’, if Wget was not installed there) and read commands from ++‘/etc/wgetrc’ by default (or some prefix other than ++‘/etc’, if Wget was not installed there) and read commands from + there, if it exists. + + Then it will look for the user’s file. If the environmental variable +@@ -2837,7 +2837,7 @@ further attempts will be made. + + The fact that user’s settings are loaded after the system-wide ones + means that in case of collision user’s wgetrc _overrides_ the +-system-wide wgetrc (in ‘/usr/local/etc/wgetrc’ by default). Fascist ++system-wide wgetrc (in ‘/etc/wgetrc’ by default). Fascist + admins, away! + +  +@@ -3380,7 +3380,7 @@ its line. + ## Or online here: + ## https://www.gnu.org/software/wget/manual/wget.html#Startup-File + ## +- ## Wget initialization file can reside in /usr/local/etc/wgetrc ++ ## Wget initialization file can reside in /etc/wgetrc + ## (global, for all users) or $HOME/.wgetrc (for a single user). + ## + ## To use the settings in this file, you will have to uncomment them, +@@ -3392,7 +3392,7 @@ its line. + + + ## +- ## Global settings (useful for setting up in /usr/local/etc/wgetrc). ++ ## Global settings (useful for setting up in /etc/wgetrc). + ## Think well before you change them, since they may reduce wget's + ## functionality, and make it behave contrary to the documentation: + ## +diff --git a/doc/wget.texi b/doc/wget.texi +index eaf6b38..608d008 100644 +--- a/doc/wget.texi ++++ b/doc/wget.texi +@@ -190,7 +190,7 @@ gauge can be customized to your preferences. + Most of the features are fully configurable, either through command line + options, or via the initialization file @file{.wgetrc} (@pxref{Startup + File}). Wget allows you to define @dfn{global} startup files +-(@file{/usr/local/etc/wgetrc} by default) for site settings. You can also ++(@file{/etc/wgetrc} by default) for site settings. You can also + specify the location of a startup file with the --config option. + To disable the reading of config files, use --no-config. + If both --config and --no-config are given, --no-config is ignored. +@@ -199,7 +199,7 @@ If both --config and --no-config are given, --no-config is ignored. + @ignore + @c man begin FILES + @table @samp +-@item /usr/local/etc/wgetrc ++@item /etc/wgetrc + Default location of the @dfn{global} startup file. + + @item .wgetrc +@@ -3154,8 +3154,8 @@ commands. + @cindex location of wgetrc + + When initializing, Wget will look for a @dfn{global} startup file, +-@file{/usr/local/etc/wgetrc} by default (or some prefix other than +-@file{/usr/local}, if Wget was not installed there) and read commands ++@file{/etc/wgetrc} by default (or some prefix other than ++@file{/etc}, if Wget was not installed there) and read commands + from there, if it exists. + + Then it will look for the user's file. If the environmental variable +@@ -3166,7 +3166,7 @@ If @code{WGETRC} is not set, Wget will try to load @file{$HOME/.wgetrc}. + + The fact that user's settings are loaded after the system-wide ones + means that in case of collision user's wgetrc @emph{overrides} the +-system-wide wgetrc (in @file{/usr/local/etc/wgetrc} by default). ++system-wide wgetrc (in @file{/etc/wgetrc} by default). + Fascist admins, away! + + @node Wgetrc Syntax, Wgetrc Commands, Wgetrc Location, Startup File diff --git a/SOURCES/wget-1.19.5-Add-TLS-1.3-support-for-GnuTLS.patch b/SOURCES/wget-1.19.5-Add-TLS-1.3-support-for-GnuTLS.patch new file mode 100644 index 0000000..9ff5b6c --- /dev/null +++ b/SOURCES/wget-1.19.5-Add-TLS-1.3-support-for-GnuTLS.patch @@ -0,0 +1,110 @@ +From 2bbdfd76dab187ab29e22bed18d737f94343e629 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Tue, 4 Sep 2018 11:22:14 +0200 +Subject: [PATCH] Add TLS 1.3 support for GnuTLS + +* doc/wget.texi: Add "TLSv1_3" to --secure-protocol +* src/gnutls.c (set_prio_default): Use GNUTLS_TLS1_3 where needed + +Wget currently allows specifying "TLSv1_3" as the parameter for +--secure-protocol option. However it is only implemented for OpenSSL +and in case wget is compiled with GnuTLS, it causes wget to abort with: +GnuTLS: unimplemented 'secure-protocol' option value 6 + +GnuTLS contains TLS 1.3 implementation since version 3.6.3 [1]. However +currently it must be enabled explicitly in the application of it to be +used. This will change after the draft is finalized. [2] However for +the time being, I enabled it explicitly in case "TLSv1_3" is used with +--secure-protocol. + +I also fixed man page to contain "TLSv1_3" in all listings of available +parameters for --secure-protocol + +[1] https://lists.gnupg.org/pipermail/gnutls-devel/2018-July/008584.html +[2] https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html + +Signed-off-by: Tomas Hozza +--- + doc/wget.texi | 6 +++--- + src/gnutls.c | 28 ++++++++++++++++++++++++++++ + 2 files changed, 31 insertions(+), 3 deletions(-) + +diff --git a/doc/wget.texi b/doc/wget.texi +index 38b4a245..7ae19d8e 100644 +--- a/doc/wget.texi ++++ b/doc/wget.texi +@@ -1780,9 +1780,9 @@ If Wget is compiled without SSL support, none of these options are available. + @cindex SSL protocol, choose + @item --secure-protocol=@var{protocol} + Choose the secure protocol to be used. Legal values are @samp{auto}, +-@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1}, @samp{TLSv1_2} +-and @samp{PFS}. If @samp{auto} is used, the SSL library is given the +-liberty of choosing the appropriate protocol automatically, which is ++@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1}, @samp{TLSv1_2}, ++@samp{TLSv1_3} and @samp{PFS}. If @samp{auto} is used, the SSL library is ++given the liberty of choosing the appropriate protocol automatically, which is + achieved by sending a TLSv1 greeting. This is the default. + + Specifying @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1}, +diff --git a/src/gnutls.c b/src/gnutls.c +index 07844c52..206d0b09 100644 +--- a/src/gnutls.c ++++ b/src/gnutls.c +@@ -565,6 +565,15 @@ set_prio_default (gnutls_session_t session) + err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1", NULL); + break; + ++ case secure_protocol_tlsv1_3: ++#if GNUTLS_VERSION_NUMBER >= 0x030603 ++ err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0:+VERS-TLS1.3:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2", NULL); ++ break; ++#else ++ logprintf (LOG_NOTQUIET, _("Your GnuTLS version is too old to support TLS 1.3\n")); ++ return -1; ++#endif ++ + case secure_protocol_pfs: + err = gnutls_priority_set_direct (session, "PFS:-VERS-SSL3.0", NULL); + if (err != GNUTLS_E_SUCCESS) +@@ -596,19 +605,38 @@ set_prio_default (gnutls_session_t session) + allowed_protocols[0] = GNUTLS_TLS1_0; + allowed_protocols[1] = GNUTLS_TLS1_1; + allowed_protocols[2] = GNUTLS_TLS1_2; ++#if GNUTLS_VERSION_NUMBER >= 0x030603 ++ allowed_protocols[3] = GNUTLS_TLS1_3; ++#endif + err = gnutls_protocol_set_priority (session, allowed_protocols); + break; + + case secure_protocol_tlsv1_1: + allowed_protocols[0] = GNUTLS_TLS1_1; + allowed_protocols[1] = GNUTLS_TLS1_2; ++#if GNUTLS_VERSION_NUMBER >= 0x030603 ++ allowed_protocols[2] = GNUTLS_TLS1_3; ++#endif + err = gnutls_protocol_set_priority (session, allowed_protocols); + break; + + case secure_protocol_tlsv1_2: + allowed_protocols[0] = GNUTLS_TLS1_2; ++#if GNUTLS_VERSION_NUMBER >= 0x030603 ++ allowed_protocols[1] = GNUTLS_TLS1_3; ++#endif ++ err = gnutls_protocol_set_priority (session, allowed_protocols); ++ break; ++ ++ case secure_protocol_tlsv1_3: ++#if GNUTLS_VERSION_NUMBER >= 0x030603 ++ allowed_protocols[0] = GNUTLS_TLS1_3; + err = gnutls_protocol_set_priority (session, allowed_protocols); + break; ++#else ++ logprintf (LOG_NOTQUIET, _("Your GnuTLS version is too old to support TLS 1.3\n")); ++ return -1; ++#endif + + default: + logprintf (LOG_NOTQUIET, _("GnuTLS: unimplemented 'secure-protocol' option value %d\n"), opt.secure_protocol); +-- +2.17.1 + diff --git a/SOURCES/wget-1.19.5-CVE-2019-5953.patch b/SOURCES/wget-1.19.5-CVE-2019-5953.patch new file mode 100644 index 0000000..767fe98 --- /dev/null +++ b/SOURCES/wget-1.19.5-CVE-2019-5953.patch @@ -0,0 +1,18 @@ +diff --git a/src/iri.c b/src/iri.c +index 7dcf3ac..1c8695c 100644 +--- a/src/iri.c ++++ b/src/iri.c +@@ -189,9 +189,10 @@ do_conversion (const char *tocode, const char *fromcode, char const *in_org, siz + { + tooshort++; + done = len; +- len = outlen = done + inlen * 2; +- s = xrealloc (s, outlen + 1); +- *out = s + done; ++ len = done + inlen * 2; ++ s = xrealloc (s, len + 1); ++ *out = s + done - outlen; ++ outlen += inlen * 2; + } + else /* Weird, we got an unspecified error */ + { diff --git a/SOURCES/wget-1.19.5-Don-t-limit-the-test-suite-HTTPS-server-to-TLSv1.patch b/SOURCES/wget-1.19.5-Don-t-limit-the-test-suite-HTTPS-server-to-TLSv1.patch new file mode 100644 index 0000000..3a71d23 --- /dev/null +++ b/SOURCES/wget-1.19.5-Don-t-limit-the-test-suite-HTTPS-server-to-TLSv1.patch @@ -0,0 +1,41 @@ +From 8990d706da3e32b12debd9b8dea7b42134631770 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Fri, 10 Aug 2018 14:32:13 +0200 +Subject: [PATCH] Don't limit the test suite HTTPS server to TLSv1 + +In Fedora, we are implementing crypto policies, in order to enhance the +security of user systems. This is done on the system level by global +configuration. It may happen that due to the active policy, only +TLSv1.2 or higher will be available in crypto libraries. While wget as +a client will by default determine the minimal TLS version supported by +both client and server, the HTTPS server implementation in testenv/ +hardcodes use of TLSv1. As a result all HTTPS related tests fail in +case a more hardened crypto policy is set on the Fedora system. + +This change removes the explicit TLS version setting and leaves the +determination of the minimal supported TLS version on the server and +client. + +More information about Fedora change can be found here: +https://fedoraproject.org/wiki/Changes/StrongCryptoSettings + +Signed-off-by: Tomas Hozza +--- + testenv/server/http/http_server.py | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/testenv/server/http/http_server.py b/testenv/server/http/http_server.py +index 434666dd..6d8fc9e8 100644 +--- a/testenv/server/http/http_server.py ++++ b/testenv/server/http/http_server.py +@@ -49,7 +49,6 @@ class HTTPSServer(StoppableHTTPServer): + 'server-key.pem')) + self.socket = ssl.wrap_socket( + sock=socket.socket(self.address_family, self.socket_type), +- ssl_version=ssl.PROTOCOL_TLSv1, + certfile=CERTFILE, + keyfile=KEYFILE, + server_side=True +-- +2.17.1 + diff --git a/SOURCES/wget-1.19.5-Dont-save-userpw-with---xattr.patch b/SOURCES/wget-1.19.5-Dont-save-userpw-with---xattr.patch new file mode 100644 index 0000000..b091230 --- /dev/null +++ b/SOURCES/wget-1.19.5-Dont-save-userpw-with---xattr.patch @@ -0,0 +1,116 @@ +From 83c408842b80b4ed26a3fe8a61177846dda18c60 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Wed, 26 Dec 2018 14:38:18 +0100 +Subject: [PATCH] Don't save user/pw with --xattr + +--- + src/ftp.c | 2 +- + src/http.c | 4 ++-- + src/xattr.c | 24 ++++++++++++++++++++---- + src/xattr.h | 3 ++- + 4 files changed, 25 insertions(+), 8 deletions(-) + +diff --git a/src/ftp.c b/src/ftp.c +index daaae93..c02ed02 100644 +--- a/src/ftp.c ++++ b/src/ftp.c +@@ -1580,7 +1580,7 @@ Error in server response, closing control connection.\n")); + + #ifdef ENABLE_XATTR + if (opt.enable_xattr) +- set_file_metadata (u->url, NULL, fp); ++ set_file_metadata (u, NULL, fp); + #endif + + fd_close (local_sock); +diff --git a/src/http.c b/src/http.c +index 499a43b..18e58e9 100644 +--- a/src/http.c ++++ b/src/http.c +@@ -4120,9 +4120,9 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs, + if (opt.enable_xattr) + { + if (original_url != u) +- set_file_metadata (u->url, original_url->url, fp); ++ set_file_metadata (u, original_url, fp); + else +- set_file_metadata (u->url, NULL, fp); ++ set_file_metadata (u, NULL, fp); + } + #endif + +diff --git a/src/xattr.c b/src/xattr.c +index 6652422..0f20fad 100644 +--- a/src/xattr.c ++++ b/src/xattr.c +@@ -21,6 +21,7 @@ + #include + + #include "log.h" ++#include "utils.h" + #include "xattr.h" + + #ifdef USE_XATTR +@@ -57,7 +58,7 @@ write_xattr_metadata (const char *name, const char *value, FILE *fp) + #endif /* USE_XATTR */ + + int +-set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp) ++set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp) + { + /* Save metadata about where the file came from (requested, final URLs) to + * user POSIX Extended Attributes of retrieved file. +@@ -67,13 +68,28 @@ set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp) + * [http://0pointer.de/lennart/projects/mod_mime_xattr/]. + */ + int retval = -1; ++ char *value; + + if (!origin_url || !fp) + return retval; + +- retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (origin_url), fp); +- if ((!retval) && referrer_url) +- retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (referrer_url), fp); ++ value = url_string (origin_url, URL_AUTH_HIDE); ++ retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (value), fp); ++ xfree (value); ++ ++ if (!retval && referrer_url) ++ { ++ struct url u; ++ ++ memset(&u, 0, sizeof(u)); ++ u.scheme = referrer_url->scheme; ++ u.host = referrer_url->host; ++ u.port = referrer_url->port; ++ ++ value = url_string (&u, 0); ++ retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (value), fp); ++ xfree (value); ++ } + + return retval; + } +diff --git a/src/xattr.h b/src/xattr.h +index 10f3ed1..40c7a8d 100644 +--- a/src/xattr.h ++++ b/src/xattr.h +@@ -16,12 +16,13 @@ + along with this program; if not, see . */ + + #include ++#include + + #ifndef _XATTR_H + #define _XATTR_H + + /* Store metadata name/value attributes against fp. */ +-int set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp); ++int set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp); + + #if defined(__linux) + /* libc on Linux has fsetxattr (5 arguments). */ +-- +2.17.2 + diff --git a/SOURCES/wget-1.19.5-Dont-use-extended-attributes---xattr-by-default.patch b/SOURCES/wget-1.19.5-Dont-use-extended-attributes---xattr-by-default.patch new file mode 100644 index 0000000..566ea97 --- /dev/null +++ b/SOURCES/wget-1.19.5-Dont-use-extended-attributes---xattr-by-default.patch @@ -0,0 +1,62 @@ +From 0e991351c8bd3996bfc396402a67445abcf1319e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tim=20R=C3=BChsen?= +Date: Wed, 26 Dec 2018 13:51:48 +0100 +Subject: [PATCH] Don't use extended attributes (--xattr) by default + +--- + doc/wget.texi | 8 ++++++++ + src/init.c | 4 ---- + src/main.c | 2 +- + 3 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/doc/wget.texi b/doc/wget.texi +index 66edab8..d672bbf 100644 +--- a/doc/wget.texi ++++ b/doc/wget.texi +@@ -540,6 +540,14 @@ right NUMBER. + Set preferred location for Metalink resources. This has effect if multiple + resources with same priority are available. + ++@cindex xattr ++@item --xattr ++Enable use of file system's extended attributes to save the ++original URL and the Referer HTTP header value if used. ++ ++Be aware that the URL might contain private information like ++access tokens or credentials. ++ + + @cindex force html + @item -F +diff --git a/src/init.c b/src/init.c +index eb81ab4..800970c 100644 +--- a/src/init.c ++++ b/src/init.c +@@ -509,11 +509,7 @@ defaults (void) + opt.hsts = true; + #endif + +-#ifdef ENABLE_XATTR +- opt.enable_xattr = true; +-#else + opt.enable_xattr = false; +-#endif + } + + /* Return the user's home directory (strdup-ed), or NULL if none is +diff --git a/src/main.c b/src/main.c +index 81db931..6ac1621 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -754,7 +754,7 @@ Download:\n"), + #endif + #ifdef ENABLE_XATTR + N_("\ +- --no-xattr turn off storage of metadata in extended file attributes\n"), ++ --xattr turn on storage of metadata in extended file attributes\n"), + #endif + "\n", + +-- +2.17.2 + diff --git a/SOURCES/wget-1.19.5-Enable-post-handshake-auth-under-gnutls-on-TLS1.3.patch b/SOURCES/wget-1.19.5-Enable-post-handshake-auth-under-gnutls-on-TLS1.3.patch new file mode 100644 index 0000000..c0a2437 --- /dev/null +++ b/SOURCES/wget-1.19.5-Enable-post-handshake-auth-under-gnutls-on-TLS1.3.patch @@ -0,0 +1,141 @@ +From c11cc83d9ee9230f090c2400a57bbd562905d782 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Mon, 8 Oct 2018 10:42:22 +0200 +Subject: [PATCH] Enable post-handshake auth under gnutls on TLS1.3 + +--- + src/gnutls.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 96 insertions(+) + +diff --git a/src/gnutls.c b/src/gnutls.c +index 206d0b09..a2c9d1c1 100644 +--- a/src/gnutls.c ++++ b/src/gnutls.c +@@ -60,6 +60,11 @@ as that of the covered work. */ + static int + _do_handshake (gnutls_session_t session, int fd, double timeout); + ++#if GNUTLS_VERSION_NUMBER >= 0x030604 ++static int ++_do_reauth (gnutls_session_t session, int fd, double timeout); ++#endif ++ + static int + key_type_to_gnutls_type (enum keyfile_type type) + { +@@ -287,6 +292,14 @@ wgnutls_read_timeout (int fd, char *buf, int bufsize, void *arg, double timeout) + if ((ret = _do_handshake (ctx->session, fd, timeout)) == 0) + ret = GNUTLS_E_AGAIN; /* restart reading */ + } ++#if GNUTLS_VERSION_NUMBER >= 0x030604 ++ if (!timed_out && ret == GNUTLS_E_REAUTH_REQUEST) ++ { ++ DEBUGP (("GnuTLS: *** re-authentication while reading\n")); ++ if ((ret = _do_reauth (ctx->session, fd, timeout)) == 0) ++ ret = GNUTLS_E_AGAIN; /* restart reading */ ++ } ++#endif + } + } + while (ret == GNUTLS_E_INTERRUPTED || (ret == GNUTLS_E_AGAIN && !timed_out)); +@@ -519,6 +532,84 @@ _do_handshake (gnutls_session_t session, int fd, double timeout) + return err; + } + ++#if GNUTLS_VERSION_NUMBER >= 0x030604 ++static int ++_do_reauth (gnutls_session_t session, int fd, double timeout) ++{ ++#ifdef F_GETFL ++ int flags = 0; ++#endif ++ int err; ++ ++ if (timeout) ++ { ++#ifdef F_GETFL ++ flags = fcntl (fd, F_GETFL, 0); ++ if (flags < 0) ++ return flags; ++ if (fcntl (fd, F_SETFL, flags | O_NONBLOCK)) ++ return -1; ++#else ++ /* XXX: Assume it was blocking before. */ ++ const int one = 1; ++ if (ioctl (fd, FIONBIO, &one) < 0) ++ return -1; ++#endif ++ } ++ ++ /* We don't stop the handshake process for non-fatal errors */ ++ do ++ { ++ err = gnutls_reauth (session, 0); ++ ++ if (timeout && err == GNUTLS_E_AGAIN) ++ { ++ if (gnutls_record_get_direction (session)) ++ { ++ /* wait for writeability */ ++ err = select_fd (fd, timeout, WAIT_FOR_WRITE); ++ } ++ else ++ { ++ /* wait for readability */ ++ err = select_fd (fd, timeout, WAIT_FOR_READ); ++ } ++ ++ if (err <= 0) ++ { ++ if (err == 0) ++ { ++ errno = ETIMEDOUT; ++ err = -1; ++ } ++ break; ++ } ++ ++ err = GNUTLS_E_AGAIN; ++ } ++ else if (err < 0) ++ { ++ logprintf (LOG_NOTQUIET, "GnuTLS: %s\n", gnutls_strerror (err)); ++ } ++ } ++ while (err && gnutls_error_is_fatal (err) == 0); ++ ++ if (timeout) ++ { ++#ifdef F_GETFL ++ if (fcntl (fd, F_SETFL, flags) < 0) ++ return -1; ++#else ++ const int zero = 0; ++ if (ioctl (fd, FIONBIO, &zero) < 0) ++ return -1; ++#endif ++ } ++ ++ return err; ++} ++#endif ++ + static const char * + _sni_hostname(const char *hostname) + { +@@ -655,7 +746,12 @@ ssl_connect_wget (int fd, const char *hostname, int *continue_session) + gnutls_session_t session; + int err; + ++#if GNUTLS_VERSION_NUMBER >= 0x030604 ++ // enable support of TLS1.3 post-handshake authentication ++ gnutls_init (&session, GNUTLS_CLIENT | GNUTLS_POST_HANDSHAKE_AUTH); ++#else + gnutls_init (&session, GNUTLS_CLIENT); ++#endif + + /* We set the server name but only if it's not an IP address. */ + if (! is_valid_ip_address (hostname)) +-- +2.17.2 + diff --git a/SOURCES/wget-1.19.5-ca-cert-too-verbose.patch b/SOURCES/wget-1.19.5-ca-cert-too-verbose.patch new file mode 100644 index 0000000..8794fc1 --- /dev/null +++ b/SOURCES/wget-1.19.5-ca-cert-too-verbose.patch @@ -0,0 +1,52 @@ +From 706e71564cadc7192ac21efbf51b661c967f35b5 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Tue, 24 Mar 2020 13:18:40 +0100 +Subject: [PATCH] Don't print message about loading crl or ca-cert files with --no-verbose + +* src/gnutls.c (ssl_init): Use LOG_VERBOSE verbosity for informative + message related to loading CRL or CA certificate file. + +Before change [1], wget didn't produce any output related to loading CA +certificates when --no-verbose option has been used. When --no-verbose +option is used, only error messages and basic information should get +printed. Information about loading CRL or CA certificate is probably not +a basic information. Any error when loading the CRL or CA certificate +will be still printed with --no-verbose. + +Some users rely on wget not printing such information and they consider +it a regression. + +Reported as https://bugzilla.redhat.com/show_bug.cgi?id=1807267 + +[1] http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e4a8fe84e2b813b65d91aec29298eecabe4850a5 + +Signed-off-by: Tomas Hozza +--- + src/gnutls.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/gnutls.c b/src/gnutls.c +index e95ecea..7ab1f08 100644 +--- a/src/gnutls.c ++++ b/src/gnutls.c +@@ -172,7 +172,7 @@ ssl_init (void) + else + { + ncerts += rc; +- logprintf (LOG_NOTQUIET, _ ("Loaded CA certificate '%s'\n"), opt.ca_cert); ++ logprintf (LOG_VERBOSE, _ ("Loaded CA certificate '%s'\n"), opt.ca_cert); + } + } + +@@ -186,7 +186,7 @@ ssl_init (void) + return false; + } + +- logprintf (LOG_NOTQUIET, _ ("Loaded CRL file '%s'\n"), opt.crl_file); ++ logprintf (LOG_VERBOSE, _ ("Loaded CRL file '%s'\n"), opt.crl_file); + } + + DEBUGP (("Certificates loaded: %d\n", ncerts)); +-- +libgit2 0.28.2 + diff --git a/SOURCES/wget-1.19.5-covscan-important-issues.patch b/SOURCES/wget-1.19.5-covscan-important-issues.patch new file mode 100644 index 0000000..0b11e13 --- /dev/null +++ b/SOURCES/wget-1.19.5-covscan-important-issues.patch @@ -0,0 +1,376 @@ +From b24351183ec574f81c729cbb3286aceaee3f03c8 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Mon, 30 Jul 2018 12:20:27 +0200 +Subject: [PATCH 1/6] * src/ftp.c (getftp): Fix RESOURCE LEAK found by Coverity + +Error: RESOURCE_LEAK (CWE-772): +wget-1.19.5/src/ftp.c:1493: alloc_fn: Storage is returned from allocation function "fopen". +wget-1.19.5/src/ftp.c:1493: var_assign: Assigning: "fp" = storage returned from "fopen(con->target, "wb")". +wget-1.19.5/src/ftp.c:1811: leaked_storage: Variable "fp" going out of scope leaks the storage it points to. +\# 1809| if (fp && !output_stream) +\# 1810| fclose (fp); +\# 1811|-> return err; +\# 1812| } +\# 1813| + +It can happen, that "if (!output_stream || con->cmd & DO_LIST)" on line #1398 can be true, even though "output_stream != NULL". In this case a new file is opened to "fp". Later it may happen in the FTPS branch, that some error will occure and code will jump to label "exit_error". In "exit_error", the "fp" is closed only if "output_stream == NULL". However this may not be true as described earlier and "fp" leaks. + +On line #1588, there is the following conditional free of "fp": + + /* Close the local file. */ + if (!output_stream || con->cmd & DO_LIST) + fclose (fp); + +Therefore the conditional at the end of the function after "exit_error" label should be modified to: + + if (fp && (!output_stream || con->cmd & DO_LIST)) + fclose (fp); + +This will ensure that "fp" does not leak in any case it sould be opened. + +Signed-off-by: Tomas Hozza +--- + src/ftp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/ftp.c b/src/ftp.c +index 69148936..daaae939 100644 +--- a/src/ftp.c ++++ b/src/ftp.c +@@ -1806,7 +1806,7 @@ Error in server response, closing control connection.\n")); + exit_error: + + /* If fp is a regular file, close and try to remove it */ +- if (fp && !output_stream) ++ if (fp && (!output_stream || con->cmd & DO_LIST)) + fclose (fp); + return err; + } +-- +2.17.1 + + +From b8be904ac7c25387672b0aa39f7cba699bffc48e Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Mon, 30 Jul 2018 15:38:45 +0200 +Subject: [PATCH 2/6] * src/http.c (check_auth): Fix RESOURCE LEAK found by + Coverity + +Error: RESOURCE_LEAK (CWE-772): +wget-1.19.5/src/http.c:2434: alloc_fn: Storage is returned from allocation function "xmalloc". +wget-1.19.5/lib/xmalloc.c:41:11: alloc_fn: Storage is returned from allocation function "malloc". +wget-1.19.5/lib/xmalloc.c:41:11: var_assign: Assigning: "p" = "malloc(n)". +wget-1.19.5/lib/xmalloc.c:44:3: return_alloc: Returning allocated memory "p". +wget-1.19.5/src/http.c:2434: var_assign: Assigning: "auth_stat" = storage returned from "xmalloc(4UL)". +wget-1.19.5/src/http.c:2446: noescape: Resource "auth_stat" is not freed or pointed-to in "create_authorization_line". +wget-1.19.5/src/http.c:5203:70: noescape: "create_authorization_line(char const *, char const *, char const *, char const *, char const *, _Bool *, uerr_t *)" does not free or save its parameter "auth_err". +wget-1.19.5/src/http.c:2476: leaked_storage: Variable "auth_stat" going out of scope leaks the storage it points to. +\# 2474| /* Creating the Authorization header went wrong */ +\# 2475| } +\# 2476|-> } +\# 2477| else +\# 2478| { + +Error: RESOURCE_LEAK (CWE-772): +wget-1.19.5/src/http.c:2431: alloc_fn: Storage is returned from allocation function "url_full_path". +wget-1.19.5/src/url.c:1105:19: alloc_fn: Storage is returned from allocation function "xmalloc". +wget-1.19.5/lib/xmalloc.c:41:11: alloc_fn: Storage is returned from allocation function "malloc". +wget-1.19.5/lib/xmalloc.c:41:11: var_assign: Assigning: "p" = "malloc(n)". +wget-1.19.5/lib/xmalloc.c:44:3: return_alloc: Returning allocated memory "p". +wget-1.19.5/src/url.c:1105:19: var_assign: Assigning: "full_path" = "xmalloc(length + 1)". +wget-1.19.5/src/url.c:1107:3: noescape: Resource "full_path" is not freed or pointed-to in function "full_path_write". +wget-1.19.5/src/url.c:1078:47: noescape: "full_path_write(struct url const *, char *)" does not free or save its parameter "where". +wget-1.19.5/src/url.c:1110:3: return_alloc: Returning allocated memory "full_path". +wget-1.19.5/src/http.c:2431: var_assign: Assigning: "pth" = storage returned from "url_full_path(u)". +wget-1.19.5/src/http.c:2446: noescape: Resource "pth" is not freed or pointed-to in "create_authorization_line". +wget-1.19.5/src/http.c:5203:40: noescape: "create_authorization_line(char const *, char const *, char const *, char const *, char const *, _Bool *, uerr_t *)" does not free or save its parameter "path". +wget-1.19.5/src/http.c:2476: leaked_storage: Variable "pth" going out of scope leaks the storage it points to. +\# 2474| /* Creating the Authorization header went wrong */ +\# 2475| } +\# 2476|-> } +\# 2477| else +\# 2478| { + +Both "pth" and "auth_stat" are allocated in "check_auth()" function. These are used for creating the HTTP Authorization Request header via "create_authorization_line()" function. In case the creation went OK (auth_err == RETROK), then the memory previously allocated to "pth" and "auth_stat" is freed. However if the creation failed, then the memory is never freed and it leaks. + +Signed-off-by: Tomas Hozza +--- + src/http.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/http.c b/src/http.c +index 093be167..4e0d467a 100644 +--- a/src/http.c ++++ b/src/http.c +@@ -2451,6 +2451,8 @@ check_auth (const struct url *u, char *user, char *passwd, struct response *resp + auth_stat); + + auth_err = *auth_stat; ++ xfree (auth_stat); ++ xfree (pth); + if (auth_err == RETROK) + { + request_set_header (req, "Authorization", value, rel_value); +@@ -2464,8 +2466,6 @@ check_auth (const struct url *u, char *user, char *passwd, struct response *resp + register_basic_auth_host (u->host); + } + +- xfree (pth); +- xfree (auth_stat); + *retry = true; + goto cleanup; + } +-- +2.17.1 + + +From dfef92bac3997b9848e86d84a843d5d7dde4fd99 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Tue, 31 Jul 2018 16:58:12 +0200 +Subject: [PATCH 3/6] * src/http.c (http_loop): Fix RESOURCE LEAK found by + Coverity + +Error: RESOURCE_LEAK (CWE-772): +wget-1.19.5/src/http.c:4486: alloc_fn: Storage is returned from allocation function "url_string". +wget-1.19.5/src/url.c:2248:3: alloc_fn: Storage is returned from allocation function "xmalloc". +wget-1.19.5/lib/xmalloc.c:41:11: alloc_fn: Storage is returned from allocation function "malloc". +wget-1.19.5/lib/xmalloc.c:41:11: var_assign: Assigning: "p" = "malloc(n)". +wget-1.19.5/lib/xmalloc.c:44:3: return_alloc: Returning allocated memory "p". +wget-1.19.5/src/url.c:2248:3: var_assign: Assigning: "result" = "xmalloc(size)". +wget-1.19.5/src/url.c:2248:3: var_assign: Assigning: "p" = "result". +wget-1.19.5/src/url.c:2250:3: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] +wget-1.19.5/src/url.c:2253:7: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] +wget-1.19.5/src/url.c:2257:11: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] +wget-1.19.5/src/url.c:2264:3: noescape: Resource "p" is not freed or pointed-to in function "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] +wget-1.19.5/src/url.c:2270:7: identity_transfer: Passing "p" as argument 1 to function "number_to_string", which returns an offset off that argument. +wget-1.19.5/src/utils.c:1776:11: var_assign_parm: Assigning: "p" = "buffer". +wget-1.19.5/src/utils.c:1847:3: return_var: Returning "p", which is a copy of a parameter. +wget-1.19.5/src/url.c:2270:7: noescape: Resource "p" is not freed or pointed-to in function "number_to_string". +wget-1.19.5/src/utils.c:1774:25: noescape: "number_to_string(char *, wgint)" does not free or save its parameter "buffer". +wget-1.19.5/src/url.c:2270:7: var_assign: Assigning: "p" = "number_to_string(p, url->port)". +wget-1.19.5/src/url.c:2273:3: noescape: Resource "p" is not freed or pointed-to in function "full_path_write". +wget-1.19.5/src/url.c:1078:47: noescape: "full_path_write(struct url const *, char *)" does not free or save its parameter "where". +wget-1.19.5/src/url.c:2287:3: return_alloc: Returning allocated memory "result". +wget-1.19.5/src/http.c:4486: var_assign: Assigning: "hurl" = storage returned from "url_string(u, URL_AUTH_HIDE_PASSWD)". +wget-1.19.5/src/http.c:4487: noescape: Resource "hurl" is not freed or pointed-to in "logprintf". +wget-1.19.5/src/http.c:4513: leaked_storage: Variable "hurl" going out of scope leaks the storage it points to. +\# 4511| { +\# 4512| printwhat (count, opt.ntry); +\# 4513|-> continue; +\# 4514| } +\# 4515| else + +There are two conditional branches, which call continue, without freeing memory potentially allocated and pointed to by"hurl" pointer. In fase "!opt.verbose" is True and some of the appropriate conditions in the following if/else if construction, in which "continue" is called, are also true, then the memory allocated to "hurl" will leak. + +Signed-off-by: Tomas Hozza +--- + src/http.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/http.c b/src/http.c +index 4e0d467a..46fde6f2 100644 +--- a/src/http.c ++++ b/src/http.c +@@ -4492,6 +4492,7 @@ http_loop (const struct url *u, struct url *original_url, char **newloc, + && (hstat.statcode == 500 || hstat.statcode == 501)) + { + got_head = true; ++ xfree (hurl); + continue; + } + /* Maybe we should always keep track of broken links, not just in +@@ -4510,6 +4511,7 @@ Remote file does not exist -- broken link!!!\n")); + else if (check_retry_on_http_error (hstat.statcode)) + { + printwhat (count, opt.ntry); ++ xfree (hurl); + continue; + } + else +-- +2.17.1 + + +From c045cdded4e3850724d8bb3a655852948e62c0df Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Thu, 2 Aug 2018 13:49:52 +0200 +Subject: [PATCH 4/6] * src/utils.c (open_stat): Fix RESOURCE LEAK found by + Coverity + +Error: RESOURCE_LEAK (CWE-772): +wget-1.19.5/src/utils.c:914: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] +wget-1.19.5/src/utils.c:914: var_assign: Assigning: "fd" = handle returned from "open(fname, flags, mode)". +wget-1.19.5/src/utils.c:921: noescape: Resource "fd" is not freed or pointed-to in "fstat". [Note: The source code implementation of the function has been overridden by a builtin model.] +wget-1.19.5/src/utils.c:924: leaked_handle: Handle variable "fd" going out of scope leaks the handle. +\# 922| { +\# 923| logprintf (LOG_NOTQUIET, _("Failed to stat file %s, error: %s\n"), fname, strerror(errno)); +\# 924|-> return -1; +\# 925| } +\# 926| #if !(defined(WINDOWS) || defined(__VMS)) + +This seems to be a real issue, since the opened file descriptor in "fd" +would leak. There is also additional check below the "fstat" call, which +closes the opened "fd". + +Signed-off-by: Tomas Hozza +--- + src/utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/utils.c b/src/utils.c +index 0cb905ad..c6258083 100644 +--- a/src/utils.c ++++ b/src/utils.c +@@ -921,6 +921,7 @@ open_stat(const char *fname, int flags, mode_t mode, file_stats_t *fstats) + if (fstat (fd, &fdstats) == -1) + { + logprintf (LOG_NOTQUIET, _("Failed to stat file %s, error: %s\n"), fname, strerror(errno)); ++ close (fd); + return -1; + } + #if !(defined(WINDOWS) || defined(__VMS)) +-- +2.17.1 + + +From 8b451f9f21cc1b00d1a08116b542fb7bd7589405 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Fri, 3 Aug 2018 16:19:20 +0200 +Subject: [PATCH 5/6] * src/warc.c (warc_write_start_record): Fix potential + RESOURCE LEAK + +In warc_write_start_record() function, the reutrn value of dup() is +directly used in gzdopen() call and not stored anywhere. However the +zlib documentation says that "The duplicated descriptor should be saved +to avoid a leak, since gzdopen does not close fd if it fails." [1]. +This change stores the FD in a variable and closes it in case gzopen() +fails. + +[1] https://www.zlib.net/manual.html + +Error: RESOURCE_LEAK (CWE-772): +wget-1.19.5/src/warc.c:217: open_fn: Returning handle opened by "dup". +wget-1.19.5/src/warc.c:217: leaked_handle: Failing to save or close handle opened by "dup(fileno(warc_current_file))" leaks it. +\# 215| +\# 216| /* Start a new GZIP stream. */ +\# 217|-> warc_current_gzfile = gzdopen (dup (fileno (warc_current_file)), "wb9"); +\# 218| warc_current_gzfile_uncompressed_size = 0; +\# 219| + +Signed-off-by: Tomas Hozza +--- + src/warc.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/warc.c b/src/warc.c +index 3482cf3b..5ebd04d7 100644 +--- a/src/warc.c ++++ b/src/warc.c +@@ -203,6 +203,7 @@ warc_write_start_record (void) + /* Start a GZIP stream, if required. */ + if (opt.warc_compression_enabled) + { ++ int dup_fd; + /* Record the starting offset of the new record. */ + warc_current_gzfile_offset = ftello (warc_current_file); + +@@ -214,13 +215,23 @@ warc_write_start_record (void) + fflush (warc_current_file); + + /* Start a new GZIP stream. */ +- warc_current_gzfile = gzdopen (dup (fileno (warc_current_file)), "wb9"); ++ dup_fd = dup (fileno (warc_current_file)); ++ if (dup_fd < 0) ++ { ++ logprintf (LOG_NOTQUIET, ++_("Error duplicating WARC file file descriptor.\n")); ++ warc_write_ok = false; ++ return false; ++ } ++ ++ warc_current_gzfile = gzdopen (dup_fd, "wb9"); + warc_current_gzfile_uncompressed_size = 0; + + if (warc_current_gzfile == NULL) + { + logprintf (LOG_NOTQUIET, + _("Error opening GZIP stream to WARC file.\n")); ++ close (dup_fd); + warc_write_ok = false; + return false; + } +-- +2.17.1 + + +From 2f451dbf4e83c751f6bbba7ed26d90bf275fcbf7 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Fri, 24 Aug 2018 16:57:37 +0200 +Subject: [PATCH 6/6] * src/warc.c (warc_write_cdx_record): Fix RESOURCE LEAK + found by Coverity + +Error: RESOURCE_LEAK (CWE-772): - REAL ERROR +wget-1.19.5/src/warc.c:1376: alloc_fn: Storage is returned from allocation function "url_escape". +wget-1.19.5/src/url.c:284:3: alloc_fn: Storage is returned from allocation function "url_escape_1". +wget-1.19.5/src/url.c:255:3: alloc_fn: Storage is returned from allocation function "xmalloc". +wget-1.19.5/lib/xmalloc.c:41:11: alloc_fn: Storage is returned from allocation function "malloc". +wget-1.19.5/lib/xmalloc.c:41:11: var_assign: Assigning: "p" = "malloc(n)". +wget-1.19.5/lib/xmalloc.c:44:3: return_alloc: Returning allocated memory "p". +wget-1.19.5/src/url.c:255:3: var_assign: Assigning: "newstr" = "xmalloc(newlen + 1)". +wget-1.19.5/src/url.c:258:3: var_assign: Assigning: "p2" = "newstr". +wget-1.19.5/src/url.c:275:3: return_alloc: Returning allocated memory "newstr". +wget-1.19.5/src/url.c:284:3: return_alloc_fn: Directly returning storage allocated by "url_escape_1". +wget-1.19.5/src/warc.c:1376: var_assign: Assigning: "redirect_location" = storage returned from "url_escape(redirect_location)". +wget-1.19.5/src/warc.c:1381: noescape: Resource "redirect_location" is not freed or pointed-to in "fprintf". +wget-1.19.5/src/warc.c:1387: leaked_storage: Returning without freeing "redirect_location" leaks the storage that it points to. +\# 1385| fflush (warc_current_cdx_file); +\# 1386| +\# 1387|-> return true; +\# 1388| } +\# 1389| + +url_escape() really returns a newly allocated memory and it leaks when the warc_write_cdx_record() returns. The memory returned from url_escape() is usually stored in a temporary variable in other parts of the project and then freed. I took the same approach. + +Signed-off-by: Tomas Hozza +--- + src/warc.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/warc.c b/src/warc.c +index 5ebd04d7..2eb74966 100644 +--- a/src/warc.c ++++ b/src/warc.c +@@ -1364,6 +1364,7 @@ warc_write_cdx_record (const char *url, const char *timestamp_str, + char timestamp_str_cdx[15]; + char offset_string[MAX_INT_TO_STRING_LEN(off_t)]; + const char *checksum; ++ char *tmp_location = NULL; + + memcpy (timestamp_str_cdx , timestamp_str , 4); /* "YYYY" "-" */ + memcpy (timestamp_str_cdx + 4, timestamp_str + 5, 2); /* "mm" "-" */ +@@ -1382,18 +1383,19 @@ warc_write_cdx_record (const char *url, const char *timestamp_str, + if (mime_type == NULL || strlen(mime_type) == 0) + mime_type = "-"; + if (redirect_location == NULL || strlen(redirect_location) == 0) +- redirect_location = "-"; ++ tmp_location = strdup ("-"); + else +- redirect_location = url_escape(redirect_location); ++ tmp_location = url_escape(redirect_location); + + number_to_string (offset_string, offset); + + /* Print the CDX line. */ + fprintf (warc_current_cdx_file, "%s %s %s %s %d %s %s - %s %s %s\n", url, + timestamp_str_cdx, url, mime_type, response_code, checksum, +- redirect_location, offset_string, warc_current_filename, ++ tmp_location, offset_string, warc_current_filename, + response_uuid); + fflush (warc_current_cdx_file); ++ free (tmp_location); + + return true; + } +-- +2.17.1 + diff --git a/SOURCES/wget-1.19.5-no_proxy-dot-prefix.patch b/SOURCES/wget-1.19.5-no_proxy-dot-prefix.patch new file mode 100644 index 0000000..c36d6fe --- /dev/null +++ b/SOURCES/wget-1.19.5-no_proxy-dot-prefix.patch @@ -0,0 +1,28 @@ +commit fd85ac9cc623847e9d94d9f9241ab34e2c146cbf +Author: Luiz Angelo Daros de Luca +Date: Thu Oct 25 17:39:52 2018 -0300 + + * src/host.c (sufmatch): Fix dot-prefixed domain matching + + Current sufmatch does not match when domain is dot-prefixed. + The example of no_proxy in man (.mit.edu) does use a dot-prefixed + domain. + + Signed-off-by: Luiz Angelo Daros de Luca + Copyright-paperwork-exempt: Yes + +diff --git a/src/host.c b/src/host.c +index b42cd6e8..2bf848f3 100644 +--- a/src/host.c ++++ b/src/host.c +@@ -1033,8 +1033,9 @@ sufmatch (const char **list, const char *what) + /* Domain or subdomain match + * k == -1: exact match + * k >= 0 && what[k] == '.': subdomain match ++ * k >= 0 && list[i][0] == '.': dot-prefixed subdomain match + */ +- if (j == -1 && (k == -1 || what[k] == '.')) ++ if (j == -1 && (k == -1 || what[k] == '.' || list[i][0] == '.')) + return true; + } + diff --git a/SOURCES/wget-1.19.5-no_proxy-tests.patch b/SOURCES/wget-1.19.5-no_proxy-tests.patch new file mode 100644 index 0000000..b38dcc1 --- /dev/null +++ b/SOURCES/wget-1.19.5-no_proxy-tests.patch @@ -0,0 +1,285 @@ +From dea0f6272889adcff846144fff5714c076067b16 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Thu, 7 Nov 2019 12:46:15 +0100 +Subject: [PATCH 1/3] testenv: HTTPTest.begin() should return exit value + +* testenv/test/http_test.py: Ensure that HTTPTest.begin() always retuns a value + +Previously the HTTPTest.begin() method always returned None. However this is not consistent with the begin() implementation of the parent class (BaseTest). This change ensures that HTTPTest.begin() returns a value. + +Signed-off-by: Tomas Hozza +--- + testenv/test/http_test.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/testenv/test/http_test.py b/testenv/test/http_test.py +index fef0c2ef..462ac6e7 100644 +--- a/testenv/test/http_test.py ++++ b/testenv/test/http_test.py +@@ -42,7 +42,7 @@ class HTTPTest(BaseTest): + print_green("Test Passed.") + else: + self.tests_passed = False +- super(HTTPTest, self).begin() ++ return super(HTTPTest, self).begin() + + def instantiate_server_by(self, protocol): + server = {HTTP: HTTPd, +-- +2.21.0 + + +From 7fba12cf25ff7cc352f0f5df7d91670df7035823 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Thu, 7 Nov 2019 13:01:44 +0100 +Subject: [PATCH 2/3] testenv: Allow definition of environment variables for + wget execuion + +* testenv/README: Added description for new EnvironmentVariable hook +* testenv/conf/environment_variable.py: Added implementation of EnvironmentVariable hook +* testenv/test/base_test.py: Modified exec_wget() to enable use of EnvironmentVariable hook + +Added new test hook called EnvironmentVariables, for defining environment variables when wget is executed in tests. This is handy for testing environment variables, which are accepted by wget. + +Signed-off-by: Tomas Hozza +--- + testenv/README | 3 +++ + testenv/conf/environment_variables.py | 14 ++++++++++++++ + testenv/test/base_test.py | 6 +++++- + 3 files changed, 22 insertions(+), 1 deletion(-) + create mode 100644 testenv/conf/environment_variables.py + +diff --git a/testenv/README b/testenv/README +index aca8cdda..d4fabddd 100644 +--- a/testenv/README ++++ b/testenv/README +@@ -224,6 +224,9 @@ executed. The currently supported options are: + file. While all Download URL's are passed to Urls, a notable exception is + when in-url authentication is used. In such a case, the URL is specified in + the WgetCommands string. ++ * EnvironmentVariables: A dictionary with key-value items, which will be ++ defined as environment variables during the execution of wget command in ++ test. + + Post-Test Hooks: + ================================================================================ +diff --git a/testenv/conf/environment_variables.py b/testenv/conf/environment_variables.py +new file mode 100644 +index 00000000..323c051c +--- /dev/null ++++ b/testenv/conf/environment_variables.py +@@ -0,0 +1,14 @@ ++from conf import hook ++ ++""" Test Option: EnvironmentVariables ++This hook is used to define environment variables used for execution of wget ++command in test.""" ++ ++ ++@hook(alias='EnvironmentVariables') ++class URLs: ++ def __init__(self, envs): ++ self.envs = envs ++ ++ def __call__(self, test_obj): ++ test_obj.envs.update(**self.envs) +diff --git a/testenv/test/base_test.py b/testenv/test/base_test.py +index dbf4678f..04a6f748 100644 +--- a/testenv/test/base_test.py ++++ b/testenv/test/base_test.py +@@ -51,6 +51,7 @@ class BaseTest: + + self.wget_options = '' + self.urls = [] ++ self.envs = dict() + + self.tests_passed = True + self.ready = False +@@ -97,12 +98,15 @@ class BaseTest: + cmd_line = self.gen_cmd_line() + params = shlex.split(cmd_line) + print(params) ++ envs = {"HOME": os.getcwd()} ++ envs.update(**self.envs) ++ print(envs) + + if os.getenv("SERVER_WAIT"): + time.sleep(float(os.getenv("SERVER_WAIT"))) + + try: +- ret_code = call(params, env={"HOME": os.getcwd()}) ++ ret_code = call(params, env=envs) + except FileNotFoundError: + raise TestFailed("The Wget Executable does not exist at the " + "expected path.") +-- +2.21.0 + + +From 0d50becc19ba07f34157b2842ca97675cc95fc1a Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Thu, 7 Nov 2019 13:11:30 +0100 +Subject: [PATCH 3/3] testenv: Add test for handling of no_proxy environment + variable + +* testenv/Test-no_proxy-env.py: Added new test for no_proxy env + +Added new test with 5 cases, which are testing various combinations of no_proxy environment variable definition and requested URLs + +Signed-off-by: Tomas Hozza +--- + testenv/Test-no_proxy-env.py | 142 +++++++++++++++++++++++++++++++++++ + 1 file changed, 142 insertions(+) + create mode 100755 testenv/Test-no_proxy-env.py + +diff --git a/testenv/Test-no_proxy-env.py b/testenv/Test-no_proxy-env.py +new file mode 100755 +index 00000000..ea7f38c4 +--- /dev/null ++++ b/testenv/Test-no_proxy-env.py +@@ -0,0 +1,142 @@ ++#!/usr/bin/env python3 ++from sys import exit ++from test.http_test import HTTPTest ++from test.base_test import HTTP ++from misc.wget_file import WgetFile ++ ++""" ++ This test ensures, that domains with and without leftmost dot defined in ++ no_proxy environment variable are accepted by wget. The idea is to use ++ non-existing proxy server address and detect whether files are downloaded ++ when proxy settings are omitted based on no_proxy environment variable ++ value. ++ ++ current wget's behavior: ++ - "no_proxy=.mit.edu" ++ - will match the domain and subdomains e.g. "www.mit.edu" or "www.subdomain.mit.edu" (Case #4) ++ - will NOT match the host "mit.edu" (Case #3) ++ - "no_proxy=mit.edu" ++ - will match the domain and subdomains e.g. "www.mit.edu" or "www.subdomain.mit.edu" (Case #2) ++ - will match the host "mit.edu" (Case #1) ++ - downside: can not match only the host ++""" ++# File Definitions ++File1 = "Would you like some Tea?" ++File2 = "With lemon or cream?" ++ ++A_File = WgetFile ("File1", File1) ++B_File = WgetFile ("File2", File2) ++ ++WGET_URLS = [["File1", "File2"]] ++WGET_ENVS = { ++ "http_proxy": "nonexisting.localhost:8080", ++ "no_proxy": "working1.localhost,.working2.localhost" ++} ++ ++Servers = [HTTP] ++Files = [[A_File, B_File]] ++ ++ExpectedReturnCodeWorking = 0 ++ExpectedReturnCodeNotWorking = 4 # network error (non-existing proxy address) ++ ++ExpectedDownloadedFilesWorking = [A_File, B_File] ++ ++# Pre and Post Test Hooks ++test_options = { ++ "Urls" : WGET_URLS, ++ "EnvironmentVariables": WGET_ENVS ++} ++post_test_working = { ++ "ExpectedFiles" : ExpectedDownloadedFilesWorking, ++ "ExpectedRetcode" : ExpectedReturnCodeWorking ++} ++post_test_not_working = { ++ "ExpectedRetcode" : ExpectedReturnCodeNotWorking ++} ++ ++# Case #1: ++# - Requested domain matches exactly the domain definition in no_proxy. ++# - Domain definition in no_proxy is NOT dot-prefixed ++# Expected result: proxy settings don't apply and files are downloaded. ++pre_case_1 = { ++ "ServerFiles" : Files, ++ "Domains" : ["working1.localhost"] ++} ++ ++err_case_1 = HTTPTest ( ++ pre_hook=pre_case_1, ++ test_params=test_options, ++ post_hook=post_test_working, ++ protocols=Servers ++).begin () ++ ++# Case #2: ++# - Requested domain is sub-domain of a domain definition in no_proxy. ++# - Domain definition in no_proxy is NOT dot-prefixed ++# Expected result: proxy settings don't apply and files are downloaded. ++pre_case_2 = { ++ "ServerFiles" : Files, ++ "Domains" : ["www.working1.localhost"] ++} ++ ++err_case_2 = HTTPTest ( ++ pre_hook=pre_case_2, ++ test_params=test_options, ++ post_hook=post_test_working, ++ protocols=Servers ++).begin () ++ ++# Case #3: ++# - Requested domain matches exactly the domain definition in no_proxy, ++# except for the leftmost dot (".") in no_proxy domain definition. ++# - Domain definition in no_proxy IS dot-prefixed ++# Expected result: proxy settings apply and files are downloaded. This is ++# due to the mismatch in leftmost dot. ++# NOTE: This is inconsistent with curl's behavior, but has less drawbacks. ++pre_case_3 = { ++ "ServerFiles" : Files, ++ "Domains" : ["working2.localhost"] ++} ++ ++err_case_3 = HTTPTest ( ++ pre_hook=pre_case_3, ++ test_params=test_options, ++ post_hook=post_test_not_working, ++ protocols=Servers ++).begin () ++ ++# Case #4: ++# - Requested domain is sub-domain of a domain definition in no_proxy. ++# - Domain definition in no_proxy IS dot-prefixed ++# Expected result: proxy settings don't apply and files are downloaded. ++pre_case_4 = { ++ "ServerFiles" : Files, ++ "Domains" : ["www.working2.localhost"] ++} ++ ++err_case_4 = HTTPTest ( ++ pre_hook=pre_case_4, ++ test_params=test_options, ++ post_hook=post_test_working, ++ protocols=Servers ++).begin () ++ ++# Case #5 ++# - Requested domain does not match a domain definition in no_proxy. ++# - Requested domain is NOT sub-domain of a domain definition in no_proxy. ++# Expected result: proxy settings apply and files are NOT downloaded due to ++# network error when using proxy with non-existing URL. ++pre_case_5 = { ++ "ServerFiles" : Files, ++ "Domains" : ["www.example.localhost"] ++} ++ ++err_case_5 = HTTPTest ( ++ pre_hook=pre_case_5, ++ test_params=test_options, ++ post_hook=post_test_not_working, ++ protocols=Servers ++).begin () ++ ++# Combine error codes from all test cases ++exit (max(err_case_1, err_case_2, err_case_3, err_case_4, err_case_5)) +-- +2.21.0 + diff --git a/SPECS/wget.spec b/SPECS/wget.spec new file mode 100644 index 0000000..45c44e0 --- /dev/null +++ b/SPECS/wget.spec @@ -0,0 +1,675 @@ +Summary: A utility for retrieving files using the HTTP or FTP protocols +Name: wget +Version: 1.19.5 +Release: 10%{?dist} +License: GPLv3+ +Group: Applications/Internet +Url: http://www.gnu.org/software/wget/ +Source: ftp://ftp.gnu.org/gnu/wget/wget-%{version}.tar.gz + +Patch1: wget-1.17-path.patch +Patch2: wget-1.19.5-Don-t-limit-the-test-suite-HTTPS-server-to-TLSv1.patch +Patch3: wget-1.19.5-covscan-important-issues.patch +Patch4: wget-1.19.5-Add-TLS-1.3-support-for-GnuTLS.patch +Patch5: wget-1.19.5-Enable-post-handshake-auth-under-gnutls-on-TLS1.3.patch +Patch6: wget-1.19.5-Dont-use-extended-attributes---xattr-by-default.patch +Patch7: wget-1.19.5-Dont-save-userpw-with---xattr.patch +# http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c +# http://git.savannah.gnu.org/cgit/wget.git/commit/?id=562eacb76a2b64d5dc80a443f0f739bc9ef76c17 +Patch8: wget-1.19.5-CVE-2019-5953.patch +# http://git.savannah.gnu.org/cgit/wget.git/commit/?id=fd85ac9cc623847e9d94d9f9241ab34e2c146cbf +Patch9: wget-1.19.5-no_proxy-dot-prefix.patch +Patch10: wget-1.19.5-no_proxy-tests.patch +# http://git.savannah.gnu.org/cgit/wget.git/commit/?id=706e71564cadc7192ac21efbf51b661c967f35b5 +Patch11: wget-1.19.5-ca-cert-too-verbose.patch + +Provides: webclient +Provides: bundled(gnulib) +Requires(post): /sbin/install-info +Requires(preun): /sbin/install-info +# needed for test suite +BuildRequires: perl-HTTP-Daemon, python3 +BuildRequires: gnutls-devel, pkgconfig, texinfo, gettext, autoconf, libidn2-devel, libuuid-devel, perl-podlators, libpsl-devel, libmetalink-devel, gpgme-devel, gcc, zlib-devel + +%description +GNU Wget is a file retrieval utility which can use either the HTTP or +FTP protocols. Wget features include the ability to work in the +background while you are logged out, recursive retrieval of +directories, file name wildcard matching, remote file timestamp +storage and comparison, use of Rest with FTP servers and Range with +HTTP servers to retrieve files over slow or unstable connections, +support for Proxy servers, and configurability. + +%prep +%setup -q + +# modify the package string +sed -i "s|\(PACKAGE_STRING='wget .*\)'|\1 (Red Hat modified)'|" configure +grep "PACKAGE_STRING='wget .* (Red Hat modified)'" configure || exit 1 + +%patch1 -p1 -b .path +%patch2 -p1 -b .tlsv1_testsuite +%patch3 -p1 -b .covscan_imp_issues +%patch4 -p1 -b .tls1_3 +%patch5 -p1 -b .post_auth_tls13 +%patch6 -p1 -b .no_xattr_by_default +%patch7 -p1 -b .no_userpw_in_xattr +%patch8 -p1 -b .CVE-2019-5953 +%patch9 -p1 -b .no_proxy-dot-prefix +%patch10 -p1 -b .no_proxy-test +%patch11 -p1 -b .too_verbose + +%build +%configure \ + --with-ssl=gnutls \ + --with-libpsl \ + --enable-largefile \ + --enable-opie \ + --enable-digest \ + --enable-ntlm \ + --enable-nls \ + --enable-ipv6 \ + --disable-rpath \ + --with-metalink + +make %{?_smp_mflags} + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT CFLAGS="$RPM_OPT_FLAGS" +rm -f $RPM_BUILD_ROOT/%{_infodir}/dir + +%find_lang %{name} + +%check +make check + +%post +/sbin/install-info %{_infodir}/wget.info.gz %{_infodir}/dir || : + +%preun +if [ "$1" = 0 ]; then + /sbin/install-info --delete %{_infodir}/wget.info.gz %{_infodir}/dir || : +fi + +%clean +rm -rf $RPM_BUILD_ROOT + +%files -f %{name}.lang +%defattr(-,root,root) +%doc AUTHORS MAILING-LIST NEWS README COPYING doc/sample.wgetrc +%config(noreplace) %{_sysconfdir}/wgetrc +%{_mandir}/man1/wget.* +%{_bindir}/wget +%{_infodir}/* + +%changelog +* Tue Mar 31 2020 Tomas Hozza - 1.19.5-10 +- Fix wget being too verbose when using --no-verbose and --ca-certificate (#1807267) + +* Thu Nov 21 2019 Tomáš Hozza - 1.19.5-9 +- Fix issue with dot-prefixed domain names in no_proxy ENV (#1763702) + +* Sun Apr 07 2019 Tomas Hozza - 1.19.5-8 +- Fix CVE-2019-5953 (#1696736) + +* Thu Jan 10 2019 Tomas Hozza - 1.19.5-7 +- Fix information exposure in set_file_metadata function in xattr.c (CVE-2018-20483) + +* Fri Oct 12 2018 Tomas Hozza - 1.19.5-6 +- Enable post handshake auth under gnutls on TLS1.3 (#1636903) + +* Wed Oct 03 2018 Tomas Hozza - 1.19.5-5 +- Allow specification of TLSv1_3 in --secure-protocol option (#1623997) + +* Wed Aug 29 2018 Tomas Hozza - 1.19.5-4 +- Add zlib-devel to BuildRequires to enable compression of WARC files (#1623004) + +* Mon Aug 27 2018 Tomas Hozza - 1.19.5-3 +- Fixed resource leaks found by Coverity (#1602729) + +* Fri Aug 10 2018 Tomas Hozza - 1.19.5-2 +- Fix FTBFS due to test suite HTTPS server forcing use of TLSv1 (#1611753) + +* Wed May 09 2018 Tomas Hozza - 1.19.5-1 +- Update to 1.19.5 fixing CVE-2018-0494 + +* Thu Apr 26 2018 Tomas Hozza - 1.19.4-3 +- Added gcc as an explicit BuildRequires + +* Fri Feb 09 2018 Fedora Release Engineering - 1.19.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Jan 22 2018 Tomas Hozza - 1.19.4-1 +- Update to the latest upstream version +- Fix issue with decompressing with broken web servers (#1532233) + +* Fri Dec 08 2017 Tomas Hozza - 1.19.2-2 +- Fix segfault when calling strchr in http.c (#1511562) + +* Fri Oct 27 2017 Tomas Hozza - 1.19.2-1 +- Update to latest upstream version due to CVE-2017-13089 CVE-2017-13090 + +* Mon Oct 09 2017 Troy Dawson - 1.19.1-6 +- Fix FTBFS (#1499876) + +* Thu Aug 03 2017 Fedora Release Engineering - 1.19.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.19.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed May 31 2017 Tomas Hozza - 1.19.1-3 +- Fixed use of .netrc (#1425097) + +* Fri May 12 2017 Tomas Hozza - 1.19.1-2 +- Fix CVE-2017-6508 (#1429986) + +* Thu Feb 16 2017 Tomas Hozza - 1.19.1-1 +- New upstream version 1.19.1 (#1421398) + +* Fri Feb 10 2017 Tomas Hozza - 1.19-1 +- New upstream version 1.19 (#1419013) +- Use libidn2 instead of libidn (new upstream default) + +* Tue Jul 26 2016 Tomas Hozza - 1.18-2 +- Switched openssl to gnutls for crypto + +* Tue Jun 14 2016 Tomas Hozza - 1.18-1 +- Update to 1.18 + +* Wed May 18 2016 Filip Čáp - 1.17.1-4 +- Added metalink support (#1321334) + +* Fri Feb 05 2016 Fedora Release Engineering - 1.17.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Feb 01 2016 Adam Williamson - 1.17.1-2 +- rebuild for new libpsl + +* Mon Dec 14 2015 Tomas Hozza - 1.17.1-1 +- Update to 1.17.1 + +* Fri Nov 27 2015 Tomas Hozza - 1.17-1 +- Updated to 1.17 + added some additional upstream fixes +- Fixed hardening of wget executable (#1281829) + +* Fri Jun 19 2015 Fedora Release Engineering - 1.16.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Mar 10 2015 Tomas Hozza - 1.16.3-1 +- update to 1.16.3 + +* Wed Mar 04 2015 Tomas Hozza - 1.16.2-1 +- update to 1.16.2 + +* Mon Jan 12 2015 Tomas Hozza - 1.16.1-3 +- Fix wget to accept 5 digit port numbers in epsv responses over ipv6 (#1180777) + +* Tue Dec 16 2014 Tomas Hozza - 1.16.1-2 +- build wget with libpsl support (#1123616) +- Fix NULL pointer dereference in FTP code (#1169022) + +* Thu Dec 11 2014 Tomas Hozza - 1.16.1-1 +- update to 1.16.1 + +* Tue Nov 18 2014 Tomas Hozza - 1.16-3 +- Fix the progress bar issue (#1159643) + +* Mon Nov 03 2014 Jakub Čajka - 1.16-2 +- fix failing tests idn-cmd-utf8 and idn-robots-utf8 +- re-enabled tests + +* Fri Oct 31 2014 Tomas Hozza - 1.16-1 +- update to 1.16 +- fixes CVE-2014-4877 + +* Mon Aug 18 2014 Fedora Release Engineering - 1.15-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 1.15-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Jan 22 2014 Tomas Hozza - 1.15-1 +- Update to 1.15 +- Drop merged patches + +* Mon Oct 21 2013 Tomas Hozza - 1.14-11 +- run test suite during the build + +* Thu Oct 10 2013 Tomas Hozza - 1.14-10 +- remove excessive line for '-nv' option in the manpage (#1017106) + +* Sun Aug 04 2013 Fedora Release Engineering - 1.14-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 15 2013 Tomas Hozza - 1.14-8 +- Fix deadcode and possible use of NULL in vprintf (#913153) +- Add documentation for --regex-type and --preserve-permissions +- Fix --preserve-permissions to work as documented (and expected) +- Fix bug when authenticating using user:password@url syntax (#912358) +- Document and fix --backups option + +* Wed Jul 10 2013 Tomas Hozza - 1.14-7 +- Fix double free of iri->orig_url (#981778) + +* Mon Jun 24 2013 Tomas Hozza - 1.14-6 +- add missing options accept-regex and reject-regex to man page +- fix errors in texi2pod introduced in Perl-5.18 + +* Fri Feb 22 2013 Tomas Hozza - 1.14-5 +- Added BuildRequires: perl-podlators for pod2man +- Patched manpage to silent new Tex errors +- Resolves: (#914571) + +* Fri Feb 15 2013 Fedora Release Engineering - 1.14-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Oct 11 2012 Tomas Hozza 1.14-3 +- Added libuuid-devel to BuildRequires to use libuuid functions + in "src/warc.c" functions (#865421) + +* Wed Oct 10 2012 Tomas Hozza 1.14-2 +- Added libidn-devel to BuildRequires to support IDN domains (#680394) + +* Thu Aug 09 2012 Karsten Hopp 1.14-1 +- Update to wget-1.14 + +* Sun Jul 22 2012 Fedora Release Engineering - 1.13.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue May 29 2012 Karsten Hopp 1.13.4-4 +- fix timeout if http server doesn't answer to SSL handshake (#860727) + +* Tue May 15 2012 Karsten Hopp 1.13.4-3 +- add virtual provides per https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries + +* Sat Jan 14 2012 Fedora Release Engineering - 1.13.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Dec 16 2011 Jon Ciesla - 1.13.4-1 +- New upstream, BZ 730286. +- Modified path patch. +- subjectAltNames patch upstreamed. +- Specified openssl at config time. + +* Thu Jun 23 2011 Volker Fröhlich - 1.12-4 +- Applied patch to accept subjectAltNames in X509 certificates (#674186) +- New URL (#658969) + +* Mon Feb 07 2011 Fedora Release Engineering - 1.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Nov 18 2009 Karsten Hopp 1.12-2 +- don't provide /usr/share/info/dir + +* Tue Nov 17 2009 Karsten Hopp 1.12-1 +- update to wget-1.12 +- fixes CVE-2009-3490 wget: incorrect verification of SSL certificate + with NUL in name + +* Fri Aug 21 2009 Tomas Mraz - 1.11.4-5 +- rebuilt with new openssl + +* Mon Jul 27 2009 Fedora Release Engineering - 1.11.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Feb 25 2009 Fedora Release Engineering - 1.11.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Sun Jan 18 2009 Tomas Mraz 1.11.4-2 +- rebuild with new openssl + +* Wed Aug 13 2008 Karsten Hopp 1.11.4-1 +- update + +* Wed Jun 04 2008 Karsten Hopp 1.11.3-1 +- wget-1.11.3, downgrades the combination of the -N and -O options + to a warning instead of an error + +* Fri May 09 2008 Karsten Hopp 1.11.2-1 +- wget-1.11.2, fixes #179962 + +* Mon Mar 31 2008 Karsten Hopp 1.11.1-1 +- update to bugfix release 1.11.1, fixes p.e. #433606 + +* Tue Feb 19 2008 Fedora Release Engineering - 1.11-2 +- Autorebuild for GCC 4.3 + +* Tue Dec 04 2007 Karsten Hopp 1.10.2-17 +- rebuild to pick up new openssl SONAME + +* Mon Aug 27 2007 Karsten Hopp 1.10.2-16 +- fix license tag +- rebuild + +* Mon Feb 12 2007 Karsten Hopp 1.10.2-15 +- fix discarding of expired cookies +- escape non-printable characters +- drop to11 patch for now (#223754, #227853, #227498) + +* Mon Feb 05 2007 Karsten Hopp 1.10.2-14 +- shut up rpmlint, even though xx isn't a macro + +* Mon Feb 05 2007 Karsten Hopp 1.10.2-13 +- merge review changes (#226538) + - use version/release/... in buildroot tag + - remove BR perl + - use SMP flags + - use make install instead of %%makeinstall + - include copy of license + - use Requires(post)/Requires(preun) + - use optflags + - remove trailing dot from summary + - change tabs to spaces + +* Thu Jan 18 2007 Karsten Hopp 1.10.2-12 +- don't abort (un)install scriptlets when _excludedocs is set (Ville Skyttä) + +* Wed Jan 10 2007 Karsten Hopp 1.10.2-11 +- add fix for CVE-2006-6719 + +* Fri Dec 08 2006 Karsten Hopp 1.10.2-10 +- fix repeated downloads (Tomas Heinrich, #186195) + +* Thu Dec 07 2006 Karsten Hopp 1.10.2-9 +- add distflag, rebuild + +* Thu Dec 07 2006 Karsten Hopp 1.10.2-8 +- Resolves: #218211 + fix double free corruption + +* Sun Oct 01 2006 Jesse Keating - 1.10.2-7 +- rebuilt for unwind info generation, broken in gcc-4.1.1-21 + +* Mon Sep 25 2006 Karsten Hopp 1.10.2-6 +- fix resumed downloads (#205723) + +* Wed Jul 12 2006 Jesse Keating - 1.10.2-5.1 +- rebuild + +* Thu Jun 29 2006 Karsten Hopp 1.10.2-5 +- updated german translations from Robert Scheck + +* Tue Jun 27 2006 Karsten Hopp 1.10.2-4 +- upstream patches + +* Fri Feb 10 2006 Jesse Keating - 1.10.2-3.2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 1.10.2-3.2 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Thu Nov 10 2005 Tomas Mraz 1.10.2-3 +- rebuilt against new openssl + +* Tue Oct 25 2005 Karsten Hopp 1.10.2-2 +- use %%{_sysconfdir} (#171555) + +* Sat Oct 15 2005 Florian La Roche +- 1.10.2 + +* Thu Sep 08 2005 Karsten Hopp 1.10.1-7 +- fix builtin help of --load-cookies / --save-cookies (#165408) + +* Wed Sep 07 2005 Karsten Hopp 1.10.1-6 +- convert changelog to UTF-8 (#159585) + +* Mon Sep 05 2005 Karsten Hopp 1.10.1-5 +- update +- drop patches which are already in the upstream sources + +* Wed Jul 13 2005 Karsten Hopp 1.10-5 +- update german translation + +* Mon Jul 11 2005 Karsten Hopp 1.10-4 +- update german translation (Robert Scheck) + +* Tue Jul 05 2005 Karsten Hopp 1.10-3 +- fix minor documentation bug +- fix --no-cookies crash + +* Mon Jul 04 2005 Karsten Hopp 1.10-2 +- update to wget-1.10 + - drop passive-ftp patch, already in 1.10 + - drop CVS patch + - drop LFS patch, similar fix in 1.10 + - drop protdir patch, similar fix in 1.10 + - drop actime patch, already in 1.10 + +* Wed Mar 02 2005 Karsten Hopp 1.9.1-22 +- build with gcc-4 + +* Wed Feb 02 2005 Karsten Hopp 1.9.1-21 +- remove old copy of the manpage (#146875, #135597) +- fix garbage in manpage (#117519) + +* Tue Feb 01 2005 Karsten Hopp 1.9.1-20 +- texi2pod doesn't handle texinfo xref's. rewrite some lines so that + the man page doesn't have incomplete sentences anymore (#140470) + +* Mon Jan 31 2005 Karsten Hopp 1.9.1-19 +- Don't set actime to access time of the remote file or tmpwatch might + remove the file again (#146440). Set it to the current time instead. + timestamping checks only modtime, so this should be ok. + +* Thu Jan 20 2005 Karsten Hopp 1.9.1-18 +- add support for --protocol-directories option as documented + in the man page (Ville Skyttä, #145571) + +* Wed Sep 29 2004 Karsten Hopp 1.9.1-17 +- additional LFS patch from Leonid Petrov to fix file lengths in + http downloads + +* Thu Sep 16 2004 Karsten Hopp 1.9.1-16 +- more fixes + +* Tue Sep 14 2004 Karsten Hopp 1.9.1-15 +- added strtol fix from Leonid Petrov, reenable LFS + +* Tue Sep 14 2004 Karsten Hopp 1.9.1-14 +- buildrequires gettext (#132519) + +* Wed Sep 01 2004 Karsten Hopp 1.9.1-13 +- disable LFS patch for now, it breaks normal downloads (123524#c15) + +* Tue Aug 31 2004 Karsten Hopp 1.9.1-12 +- move largefile stuff inside the configure script, it didn't + get appended to CFLAGS + +* Tue Aug 31 2004 Karsten Hopp 1.9.1-11 +- rebuild + +* Tue Aug 31 2004 Karsten Hopp 1.9.1-10 +- fix patch + +* Sun Aug 29 2004 Karsten Hopp 1.9.1-9 +- more cleanups of the manpage (#117519) + +* Fri Aug 27 2004 Karsten Hopp 1.9.1-8 +- rebuild + +* Fri Aug 27 2004 Karsten Hopp 1.9.1-7 +- clean up manpage (#117519) +- buildrequire texinfo (#123780) +- LFS patch, based on wget-LFS-20040630.patch from Leonid Petrov + (#123524, #124628, #115348) + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Thu Mar 11 2004 Karsten Hopp 1.9.1-3 +- fix documentation (#117517) + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Fri Nov 28 2003 Karsten Hopp 1.9.1-3 +- update to -stable CVS +- document the passive ftp default + +* Fri Nov 28 2003 Karsten Hopp 1.9.1-2 +- add patch from -stable CVS + +* Fri Nov 28 2003 Karsten Hopp 1.9.1-1 +- update to 1.9.1 +- remove obsolete patches + +* Mon Aug 04 2003 Karsten Hopp 1.8.2-15.3 +- fix variable usage + +* Tue Jul 22 2003 Nalin Dahyabhai 1.8.2-15.2 +- rebuild + +* Wed Jun 25 2003 Karsten Hopp 1.8.2-15.1 +- rebuilt + +* Wed Jun 25 2003 Karsten Hopp 1.8.2-15 +- default to passive-ftp (#97996) + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Wed Jun 04 2003 Karsten Hopp 1.8.2-13 +- rebuild + +* Wed Jun 04 2003 Karsten Hopp 1.8.2-12 +- merge debian patch for long URLs +- cleanup filename patch + +* Sun May 11 2003 Karsten Hopp 1.8.2-11 +- rebuild + +* Sun May 11 2003 Karsten Hopp 1.8.2-10 +- upstream fix off-by-one error + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Tue Jan 7 2003 Nalin Dahyabhai 1.8.2-8 +- rebuild + +* Fri Dec 13 2002 Nalin Dahyabhai +- use openssl pkg-config data, if present +- don't bomb out when building with newer openssl + +* Thu Dec 12 2002 Tim Powers 1.8.2-7 +- rebuild on all arches + +* Tue Nov 19 2002 Tim Powers +- rebuild on all arches + +* Fri Oct 4 2002 Karsten Hopp 1.8.2-5 +- fix directory traversal bug + +* Wed Jul 24 2002 Trond Eivind Glomsrød 1.8.2-3 +- Don't segfault when downloading URLs A-B-A (A-A-B worked) #49859 + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Wed May 29 2002 Florian La Roche +- update to 1.8.2 (bug-fix release) + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Mon Apr 29 2002 Florian La Roche +- remove s390 patch, not needed anymore + +* Wed Feb 27 2002 Trond Eivind Glomsrød 1.8.1-4 +- Rebuild + +* Wed Jan 09 2002 Tim Powers +- automated rebuild + +* Fri Dec 28 2001 Florian La Roche +- add hack to not link against libmd5, even if available + +* Fri Dec 28 2001 Florian La Roche +- update to 1.8.1 + +* Thu Dec 13 2001 Florian La Roche +- update to 1.8 +- also include md5global to get it compile + +* Sun Nov 18 2001 Florian La Roche +- update to 1.7.1 + +* Wed Sep 5 2001 Phil Knirsch 1.7-3 +- Added va_args patch required for S390. + +* Mon Sep 3 2001 Trond Eivind Glomsrød 1.7-2 +- Configure with ssl support (duh - #53116) +- s/Copyright/License/ + +* Wed Jun 6 2001 Trond Eivind Glomsrød +- 1.7 +- Require perl for building (to get man pages) +- Don't include the Japanese po file, it's now included +- Use %%{_tmppath} +- no patches necessary +- Make /etc/wgetrc noreplace +- More docs + +* Tue Jan 30 2001 Trond Eivind Glomsrød +- Norwegian isn't a iso-8859-2 locale, neither is Danish. + This fixes #15025. +- langify + +* Sat Jan 6 2001 Bill Nottingham +- escape %%xx characters before fnmatch (#23475, patch from alane@geeksrus.net) + +* Fri Jan 5 2001 Bill Nottingham +- update to 1.6, fix patches accordingly (#23412) +- fix symlink patch (#23411) + +* Mon Dec 18 2000 Yukihiro Nakai +- Add Japanese and Korean Resources + +* Tue Aug 1 2000 Bill Nottingham +- setlocale for LC_CTYPE too, or else all the translations think their + characters are unprintable. + +* Thu Jul 13 2000 Prospector +- automatic rebuild + +* Sun Jun 11 2000 Bill Nottingham +- build in new environment + +* Mon Jun 5 2000 Bernhard Rosenkraenzer +- FHS compliance + +* Thu Feb 3 2000 Bill Nottingham +- handle compressed man pages + +* Thu Aug 26 1999 Jeff Johnson +- don't permit chmod 777 on symlinks (#4725). + +* Sun Mar 21 1999 Cristian Gafton +- auto rebuild in the new build environment (release 4) + +* Fri Dec 18 1998 Bill Nottingham +- build for 6.0 tree +- add Provides + +* Sat Oct 10 1998 Cristian Gafton +- strip binaries +- version 1.5.3 + +* Sat Jun 27 1998 Jeff Johnson +- updated to 1.5.2 + +* Thu Apr 30 1998 Cristian Gafton +- modified group to Applications/Networking + +* Wed Apr 22 1998 Cristian Gafton +- upgraded to 1.5.0 +- they removed the man page from the distribution (Duh!) and I added it back + from 1.4.5. Hey, removing the man page is DUMB! + +* Fri Nov 14 1997 Cristian Gafton +- first build against glibc